Becoming An Effective ISO 13485:2016 Auditor 101
Becoming an EffectiveISO 13485:2016Auditor 101Planning and Conducting QMS Audits that Yield Useful Results(and Add Value to the Business)orielstat.com 800.472.6477
Conducting an ISO 13485 QMS internalaudit? Here’s how to prepare.CONGRATULATIONS! You have been chosen (or perhaps conscripted) to conductor participate in an ISO 13485 internal quality management system (QMS) audit.For many, the prospect of coordinating and conducting an audit can be terrifying.However, believe us when we say the terror subsides with each hour of planningyou do. In this white paper we will talk about how you can lay the foundation toensure that your ISO 13485 audit progresses smoothly, yielding input that’s usefulto your company’s management review as well as its corrective and preventiveaction (CAPA) processes.The Real Purpose of the Medical Device QMS AuditEven though it seems obvious, it’s worth repeating that the purpose of conducting an audit is todetermine whether the QMS conforms to specified requirements and is effective in enabling yourorganization to meet quality objectives. In other words, you are trying to assess whether the organization’s system says what it needs to say, that you’re doing what you say you’ll do, and that whatyou’re doing is working to produce the outcomes you need. A QMS audit is not intended to evaluatethe quality of products, nor does it focus on the performance of people. The emphasis is on the QMSprocesses and the effectiveness of the entire system in meeting defined requirements and objectives.A QMS audit is not intended to evaluate the quality of products, nor does it focus on theperformance of people. The emphasis is on the QMS processes and the effectiveness of the entiresystem in meeting defined requirements and objectives.On the following pages we share auditing best practices garnered from over 50 years of trainingQMS auditors and conducting audits on behalf of our customers.2orielstat.com 800.472.6477
Basic Types of ISO 13485 AuditsAudits are planned, systematic processes carried out according to prepared working documents and audit plans. ISO 13485 talks about two main components of internal audits (section 8.2.4): Confirming that the organization’s QMS documentation conforms to the standard and any applicable regulatory requirements – commonly called a documentation audit. Confirming that the organization has implemented and is maintaining the QMS documentation –commonly called an on-site audit.While documentation and on-site audits may seem like two entirely different animals, they are not.A thorough QMS audit includes both components. The difference between the two usually is in theapproach and depth to which each of these audit components is conducted. The focus of the documentation audit centers on whether the QMS has been established and documented, while the on-siteaudit looks at whether the QMS has been implemented and maintained.A full QMS audit has four primary goals:1. Determine the extent to which the QMS has been established.2. Determine whether or not the QMS has been documented in accordance with applicable requirements – also known as audit criteria (e.g., ISO standard, applicable regulations, contracts).3. Determine if the QMS has been effectively implemented.4. Determine whether or not the QMS has been properly maintained.DOCUMENTATION AUDITAUDITCRITERIA ISO STEM Policies (manual) System procedures Work instructions(as time permits)ON-SITE AUDITPRACTICES Records Observed behavior Interviews800.472.6477 orielstat.com3
Developing Your Overall ISO 13485Audit ScheduleA well-planned audit schedule will ensure that audits are performed regularly, are conductedaccording to the importance of the process, and address the results of previous audits.Developing a master audit schedule is the first step toward planning audit activities for the year.Individual audit leaders will construct the individual audit plans to meet the schedule. An example ofa master internal audit schedule is shown below. A similar one could be developed to plan yoursupplier audits for the year.A typical ISO 13485:2016 internal audit will generally cover 2-4 areas of the organization each month throughoutthe year, depending on the size of the company.AUDIT PROCESSESJANFEBMARAPRMAY Inspection – ProcessInspection – Final Standards Lab Testing Trainingorielstat.com 800.472.6477 Sales NOV Quality Control4OCT Quality AssuranceWarehousingSEP PurchasingShippingAUG Inspection – IncomingEngineeringJUL Contract AdministrationDesignJUN DEC
Preparing for Your ISO 13485 QMS AuditWhen planning an audit, it is tempting to skip some of the steps below and go immediately to creatinga checklist and schedule. However, the process of initiating the audit is vital to the audit’s success.Here are the steps you should take.12345Appoint the lead auditor. The first basic step is to figure out who will lead the audit team. Ifyou work for a small company, that might be you! This person will be responsible for allphases of the audit.Define audit objectives, scope, and criteria. This is an important step. You need to definewhich facilities and/or departments are involved and which processes will be audited. Defining the audit criteria (i.e., ISO 13485:2016) and additional applicable regulatory requirements(e.g., 21 CFR 820 and/or EU Medical Device Regulation 2017/745) is also imperative.Determine the feasibility of the audit. You need to ensure that you will be able to conductthe audit as planned. Will you have adequate cooperation from auditees? Are any of thepeople involved working on a major deadline that would take away from their participation?Will any of them be on vacation? Is there adequate time and budget to conduct the audit? Willall the information you need be made available to you? Don’t assume. Verify.Select the audit team. If your company is small, you may comprise the “team.” If yourcompany has more than, say, 150 employees, insources design, makes high risk-products,etc., it is possible that you may need 2 auditors on your team. In selecting the audit teammembers, consider which competencies are needed, how long your audit will last, the scopeof the audit, and time constraints. The first rule of auditing is that an auditor cannot examinean area for which he/she is responsible.Regarding competence, consider this example: An auditor who needs to interview management regarding management processes (e.g., resource processes, results processes, etc.)should have some minimal business experience. An auditor who needs to verify process orproduct measurements may need to have knowledge of quality and statistical tools. That’swhy ISO defines competence in terms of education, training, skill, experience, and personalattributes.Establish initial contact with the auditee(s). With a lead auditor chosen, the team determined,the scope defined, and other factors considered, it’s time establish contact with your auditees.Make sure affected members of your organization (or your supplier) understand the scope ofthe audit you are conducting, when the audit will be conducted, and who is on the team.Request access to all relevant documents and, if you are auditing a supplier, ask for a map orsketch of their facility that has the departments clearly labeled.800.472.6477 orielstat.com5
Conducting a QMS Documentation ReviewThe purpose of the documentation review is to determine whether or not the QMS has beenestablished and documented. Accordingly, where possible, try to review all documentation beforethe on-site audit activities commence. This will help you prepare for the on-site audit effectively andefficiently. Typically, auditees are required to submit a quality manual and procedures before theon-site audit.The documentation should cover relevant information regarding the QMS (e.g., scope, exclusionsthat may exist) and any additional requirements beyond ISO 13485 and applicable regulatoryrequirements (e.g., customer requirements and/or supplier agreements). It should represent thedocumented quality management system as required by ISO 13485 in paragraphs 4.2.1 and 4.2.2 orother applicable criteria. If you are auditing a supplier, sometimes it might not be possible to get thequality manual ahead of time for proprietary reasons. If that’s the case, allocate time for a review atthe beginning of the on-site audit. Organizational charts are helpful, so make sure you get a copy.In addition to the manual and procedures, review: Promotional literature and website pages Previous audit findings and status of corrective actions Supplier agreements (if auditing a supplier)Role of the Lead AuditorEvery audit has a lead auditor – even if it’s the only auditor! This person represents theteam in communication with the auditee and management. The lead auditor also defines therequirements of each audit assignment, including qualification of other audit team members.Here are some of the lead auditor’s additional responsibilities: Plan the audit. Assign audit responsibilities to each audit team member. Make effective use of resources during the audit. Organize and direct audit team members. Provide direction and guidance to auditors in training. Lead the audit team to reach conclusions. Prevent and resolve conflicts during the audit. Prepare and complete the audit report.6orielstat.com 800.472.6477
Creating the QMS Audit PlanStarting an on-site audit without a detailed plan is a surefire way to waste a lot of time, frustrate alot of people, and leave without generating useful output. In an ideal world, you should spend2 hours planning every hour of audit time. A detailed audit plan should cover: Audit objectives and scope Audit criteria and reference documents Locations, dates, times, and duration of audit activities Audit method to be used, including the extent of sampling Roles and responsibilities of the audit team members, guides, and observers Allocation of appropriate resources to critical areas of the audit Logistics and communications arrangements (usually for supplier audits)This is an example of an internal audit plan for a single internal process.AUDIT PLAN FOR ISO 13485PURPOSE: Quality System Evaluation ofDesign/Development Control for ISO 13485SCOPE: Design Control for Med-i-CareAUDITORSEPTEMBER 20, YYYY9–9:15J.T. Kirk (Lead)H. SuluAUDITEE: Dept. 31 – EngineeringREPRESENTATIVE: G. HillLEAD AUDITOR: J.T. KirkPRODUCT: Surgical ToolsOpeningMeeting9:30–10:3010:45–11:45Design and DevelopmentPlanning and FilesDesign and Development Transferand ChangeDesign Input/OutputDesign and Development Review,Design and DevelopmentVerification and ValidationOpening Meeting: 9:00 September 20, YYYYClosing Meeting: 12:30 September 20, YYYY12:30–1:30ClosingMeetingNote: List of applicable procedures to be audited is attached.J.T. KirkPrepared by:August 23, YYYYJ.T. KirkM. ScottApproved by:August 24, YYYYM. Scott800.472.6477 orielstat.com7
This is an example of an ISO 13485:2016 audit plan for individual processes. It also shows the ISO 13485:2016clauses that would typically be relevant for each process.PROCESS4.1 4.2 5.1 5.2 5.3 5.4 5.5 5.6 6.1 6.2 6.3 6.4 7.1 7.2 7.3 7.4 7.5 7.6 8.1 8.2 8.3 8.4 8.5Management Customer ibrationSales/MarketingQuality AssuranceQuality ControlAccounting/Finance Creating Your Working DocumentsAn essential part of the audit planning stage involves preparation of the working documents. You’llusually do some of this in parallel with the documentation review portion of the audit, which will giveyou information about specific topics and information paths to follow during your on-site audit.Working documents typically include checklists, audit sampling plans and forms for recording meeting attendance, audit evidence, and audit findings (corrective action reports, nonconformity reports).Checklists are good tools, as they save valuable time and ensure that important items are not missedduring the audit. It is worth spending time on these, because checklists can be adapted for use inother audits and improved based on your experience over time. Just remember: As you’re auditing,don’t use checklists like a script; instead, consider them only as a guide. Also, don’t forget to safeguardand treat your audit documents as confidential or proprietary at all times.Notifying Your AuditeeThe final step in the preparation phase is to confirm the audit details with your auditee. This correspondence comes from the lead auditor and must follow company procedures and address all points fromany previous phone discussions, meetings, or emails. The notification must confirm the date, time, andplace of the opening meeting and include the audit plan and proposed schedule/agenda. (Optionally,you could include a copy of your checklists if they will aid understanding, but there are pros and cons todoing so.) The purpose of this notification is to ensure there are no misunderstandings.8orielstat.com 800.472.6477
A detailed audit plan will be very specific about times, participants, and process areas.AUDIT PLAN FOR ISO 13485PURPOSE: Evaluation for CertificateSCOPE: Milltown, CA SiteAUDITEE: Superior Products, Inc. (SPI)REPRESENTATIVE: G. HillAUDITOR: Oriel STAT A MATRIXLEAD AUDITOR: J.T. KirkJuly 26, YYYYAuditor 1Auditor 2Auditor 38:00–8:15Arrive on siteArrive on siteArrive on site8:15–8:45Opening meetingOpening meetingOpening meeting8:45–9:30Tom Gauss,Measurement SystemsJohn BlackTom Silver (plating process)9:30–11:00John Smith, VP(re: mgt. program)Ellen Brown, DesignDavid Jones, Mgr. (re: training)11:00–12:00Jack Gordon, Mgr.(re: audit program)Carol Baker, Mgr. (re: corrective& preventive action)Larry Gomez, VP(re: 002:00–3:15Ed Burke, Eng.(re: operations control)Joe Green, Eng. (re: planningof realization process)Susan Green, Mgr.(re: customer satisfaction)Robert Hall, VP (re: purchasing)3:15–4:45Tom Sparky (re: Welding Shop)Alice White, Mgr.(re: documentation)Jim Dayton, Mgr. (re: pening Meeting:Debriefing:2nd Shift Observations:Closing Meeting:July 26, YYYY, 8:15 a.m.July 26 & 27, YYYY, 4:45 p.m.July 27, YYYY, 6:00–10:00 p.m.July 28, YYYY, 2:00 p.m.Note: This is the first day of a three-day audit. List ofapplicable procedures to be audited is attached.Prepared by: J.T. Kirk, July 7, YYYYApproved by: M. Scott, July 8, YYYYThe Opening Meeting of the On-Site AuditYou have spent weeks preparing for your audit. All documentation has been reviewed, schedulescreated, auditees notified, and checklists confirmed. Now it’s time for the scary part: Conducting theaudit! If you have done your job well to this point, the audit should be the easy part because you willsimply be executing a well-choreographed plan.On the morning of Day 1, you will host the opening meeting. There are many things you will want toaccomplish during this meeting, including:800.472.6477 orielstat.com9
Record the name and title of all participants. Introduce audit team members and state each member’s responsibilities.–– Ask the auditee team to do the same. Discuss the responsibilities of auditee management. Confirm the purpose and scope of the audit, and confirm the audit plan (typically sent a few weeksprior to the opening meeting). 1 Describe the audit methodology (e.g., interviewing, observing, reviewing documentation, takingnotes, recording findings, classifying nonconformities, etc.). State the audit objectives and emphasize that the audit will try not to interfere with operations. Confirm the working hours, meal breaks, and time for daily debriefings. Confirm the time of the closing meeting, and state how long it will take after that meeting until theaudit report is issued.Average ISO 13485:2016 Audit DurationISO audit duration is based on the number of employees in the facility and the scope of the QMS.The risk associated with the device is also a factor. For example, there is certainly more risk associatedwith manufacturing heart valves than manual wheelchairs, and this impacts audit length. TheInternational Accreditation Forum documents MD-5 and MD-9 set guidelines for internal auditdays as well as general protocols for conducting an ISO audit. It should be noted, however, that thistype of audit length determination is trending out with the use of audit duration calculations usedin the Medical Device Single Audit Program Model (MDSAP). MDSAP audits are based on the numberof elements to be covered in the audit. These types of audits can be considerably longer than anISO audit.What Is MDSAP?The Medical Device Single Audit Program – or MDSAP – allows a single audit of a medicaldevice manufacturer’s quality management system (QMS) to satisfy the regulatoryrequirements of Australia, Brazil, Canada, Japan, and the United States. The MDSAPaudit model covers the requirements of ISO 13485 plus Good Manufacturing Practicerequirements for each applicable regulatory authority.The MDSAP program does not yet extend to cover the quality and safety requirementsof Europe. Thus, you will still need to undergo a separate Notified Body audit tomaintain compliance with EU requirements.1Note that the scheduled times of daily debriefings and the closing meeting should be included in the audit plan.10orielstat.com 800.472.6477
Conducting the On-Site Audit and Avoiding Rabbit HolesAll that preparation you did in the weeks leading up to the audit will now pay off. You should makeevery effort to deal directly with the people involved in implementing the system. People, not documents,make or break a system. When you start performing the audit, it is important to remember that anaudit is really a method of sampling and is conducted to get a sense of what is happening. Considerstratified random sampling to focus the audit based on risk (e.g., rather than taking a random sampling of purchase orders, stratify the population by criticality to focus on what is important). You needto be sure that the auditee is not cherry-picking documents to show you. You should dictate thedocuments you want to see, reviewing the requisite number of samples stipulated in your audit plan.During the audit, you will invariably come across people who nervously ramble, digress, or areintentionally vague or evasive. In these cases, it is important that you remain courteous but persistent. Be polite but insist on getting details needed to answer the question. Don’t go down the rabbithole with someone who is trying to explain something that is irrelevant. It is the auditor’s job to keepthe auditee on track and extract the information needed. That being said, you are encouraged toexplore problems to the fullest extent possible rather than skipping over a problem so you can touchlightly on other subjects. Accordingly, you may need to go beyond your checklist to dig deeper andlook at key process interactions that may be relevant (e.g., purchasing and production interaction).Audit Interviewing TipsAuditees often get nervous during an ISO 13485:2016 audit because they sometimes feel as thoughthey are being personally interrogated. To gain their cooperation, it is important that you set a commonality of perceived purpose in the opening meeting. Your common goal is to ensure that thecompany has a quality management system that is effective and conforms to requirements, not tothrow someone under the bus. Make sure to tell the auditee that you will be taking notes during aninterview. Refer to your checklists repeatedly but don’t read verbatim from them; instead, use thechecklist items as a framework for discussion. To get relevant, complete information fr
Role of the Lead Auditor Every audit has a lead auditor – even if it’s the only auditor! This person represents the team in communication with the auditee and management. The lead auditor also defines the requirements of each audit assignment, including qualification of other audit team members.
The primary international version is ISO 13485:2003. The variant EN ISO 13485:2012 is the latest European harmonized version of ISO 13485; it replaces the prior harmonized version, EN ISO 13485:2003, which is now considered to be obsolete. EN ISO 13485:2012 is applicable only to manufacturers placing devices on the market in Europe.
ISO 13485 clauses 4.2.1, 5.4.1 Annex IX (Chapter I) 03 Quality Manual 9 03 Quality Manual ISO 13485 clauses 4.2.1, 4.2.2 04 Human Resources 10 04 Procedure for Human Resources ISO 13485 clause 6.2 11 04.1 Appendix 1 -Training Program ISO 13485 clause 6.2 12 04.2 Appendix 2 - Training Record ISO 13485 clause 6.2 13 04.3
resulting in the standard now having 10 clauses, where previously there were 8. The 3rd edition of ISO 13485 will keep the current clause structure and a new Annex is proposed for ISO 13485 to provide a clause by clause correlation between the new revisions of ISO 9001 and ISO 13485. The new revisions of both ISO 9001 and ISO 13485 have anFile Size: 375KB
ISO 13485:2016 Annexes Annex A Comparison of content between ISO 13485:2003 and ISO 13485:2016 – comments on changes Annex B Correspondence between ISO 13485:2016 and ISO 9001:2015 – top level clause mapping European Annexes - ZA (AIMD), ZB (MDD) and ZC (IVD) Identifies relationship between the European StandardFile Size: 855KB
ISO 13485:2016 did NOT follow ISO 9001:2015 into the Higher Level Structure format ISO 9001:2015 now has 7* QS core “Processes” ISO 13485:2016 retains 5* QS core “Processes” Annex B of ISO 13485:2016 provides a handy cross-reference between ISO
ISO 13485 OPPOSED TO ISO 9001 _ As mentioned above, ISO 13485 is based on the structure of ISO 9001, even though it is a stand-alone standard. Despite that both standards are organized in the same way, ISO 13485 excludes ISO 9001 requirements related to continual improvement and customer s
ISO 9001:2008 –3 instances of the word “risk” ISO 9001:2015 –43 instances of the word “risk” ISO 13485:2003 –4 instances of the word “risk” ISO 13485:2016 –32 instances of the word “risk” “13485 Plus” is a guidance document that was publishe
ISO 13485:2016-based Quality Management System by clearing up any misconceptions regarding the standard'srequirements. . ISO 13485 has an additional set of requirements specific to the medical device industry, and it discards some of the requirements of the new ISO 9001. Therefore, compliance with ISO 13485 does not imply
